The value of the _docbase request parameter is copied into the HTML document as plain text between tags. The payload pbbux<script>alert(1)</script>ubblj was submitted in the _docbase parameter. This resulted in reflected XSS.

PoC:


Popular posts from this blog

Stored XSS in Documentum D2
Documentum D2 version 4.6 is vulnerable to stored XSS: submitting the HTML-encoded value of an XSS payload bypasses the protection.
This bug was reported by Vipin Chaudhary and has been assigned CVE-2018-7659.

Steps to reproduce:

1. Log in to Documentum D2 with your credentials.
2. Go to Import and upload any image file.
3. Go to Properties and click Edit to change the document name.
4. Enter &#x22;&#x3e;&#x3c;&#x69;&#x6d;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x78;&#x20;&#x6f;&#x6e;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x3d;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29; as the document name; this is the HTML-encoded value of the XSS payload.
5. Once the name is saved in the portal, the stored XSS triggers.
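
The bypass in the steps above, seen from the defending side, as an added Python example that is not from the original post or from Documentum D2. It assumes the protection inspects only the raw submitted string; the function names and sample document names are constructed for illustration.

```python
import html
import re

# Characters that can break out of an HTML text or attribute context.
FORBIDDEN = re.compile(r"[<>\"']")

def naive_filter(name: str) -> bool:
    """Assumed weak check: looks only at the raw submitted string."""
    return FORBIDDEN.search(name) is None

def canonicalize(name: str, max_rounds: int = 5) -> str:
    """Decode HTML character references until the value stops changing,
    so single and nested encodings reduce to the same canonical form."""
    for _ in range(max_rounds):
        decoded = html.unescape(name)
        if decoded == name:
            return decoded
        name = decoded
    raise ValueError("too many encoding layers")

def strict_filter(name: str) -> bool:
    """Validate the canonical form, rejecting values that never settle."""
    try:
        return FORBIDDEN.search(canonicalize(name)) is None
    except ValueError:
        return False

def render_name(name: str) -> str:
    """Output encoding at the point where the stored name enters HTML.
    This is the primary control; the input filter is defence in depth."""
    return '<span class="doc-name">' + html.escape(name, quote=True) + "</span>"

# Constructed sample document names (benign markup stands in for a payload).
SAMPLES = {
    "plain": "Q3 report.png",
    "entity": "&#x3c;b&#x3e;Q3&#x3c;/b&#x3e;",
    "double": "&amp;#x3c;b&amp;#x3e;Q3",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, naive_filter(value), strict_filter(value), render_name(value))
```

The entity-encoded names pass the raw-string check but are rejected once canonicalized, and `render_name` keeps any stored value inert even if a filter is bypassed.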